[PATCH OLK-5.10] cifs: Prevent NULL pointer dereference caused by cifs_sb->rsize being 0

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBO3FG
CVE: NA

--------------------------------

When cifs_sb->rsize is 0, cifs_send_async_read() fails to allocate the pages array using iov_iter_get_pages_alloc(), resulting in data->pages being NULL. This eventually triggers a NULL pointer dereference in the callback function uncached_fill_pages().

cifs_sb->rsize is set to the minimum value between SMB3_DEFAULT_IOSIZE and server->max_read. SMB3_DEFAULT_IOSIZE is 4MB. There are two reasons that cause cifs_sb->rsize to be 0:

1. During the negotiation process, if the server returns an rsp->MaxReadSize of 0, server->max_read is assigned 0, and the calculated value of cifs_sb->rsize becomes 0.

2. In the cifsd thread, if cifs_reconnect() is invoked, server->max_read is set to 0. Prior to the completion of the reconnection process, the calculated value of cifs_sb->rsize becomes 0.

It is important to note that cifs_sb->rsize is only set to 0 during the mount phase. Therefore, a straightforward approach to prevent potential NULL pointer dereferences in the future is to implement a check for cifs_sb->rsize during the mount stage. If the value is found to be 0, the mount process should exit early to avoid any subsequent NULL pointer dereferences.

Fixes: aa24d1e96924 ("CIFS: Process reconnects for SMB2 shares")
Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>
---
 fs/cifs/connect.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index d64e4a2b1a9b..0a31685cdf53 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -4192,6 +4192,10 @@ static int mount_get_conns(struct smb_vol *vol, struct cifs_sb_info *cifs_sb,
 
 	cifs_sb->wsize = server->ops->negotiate_wsize(tcon, vol);
 	cifs_sb->rsize = server->ops->negotiate_rsize(tcon, vol);
+	if (cifs_sb->rsize == 0) {
+		cifs_dbg(VFS, "Negotiated rsize is 0, get connect failed\n");
+		return -EINVAL;
+	}
 
 	return 0;
 }
-- 
2.34.3
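Review bot: the message "Negotiated rsize is 0, get connect failed" in the new cifs_dbg(VFS, ...) line will be hard to read for an administrator who meets it in dmesg; since this runs in mount_get_conns and aborts the mount, say so directly, e.g. `cifs_dbg(VFS, "Negotiated rsize is 0, mount failed\n");`, and reconsider -EINVAL, which suggests a bad mount option, when the commit message attributes the zero to the server advertising MaxReadSize 0 or to a reconnect still in progress; -EIO or -EAGAIN would point the user at the server or connection rather than at their options. Please also confirm that the caller's error path releases the session and tree connection obtained earlier in mount_get_conns on this new early return; the hunk only shows the return itself. Finally, cifs_sb->wsize is negotiated on the line just above and is not checked: if negotiate_wsize can yield 0 the same way, a matching check belongs here, and if it cannot, a one-line comment saying why only rsize needs the guard would save the next reader the question.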
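The failure chain the commit message describes (rsize derived as min(SMB3_DEFAULT_IOSIZE, server->max_read), a zero rsize needing zero pages, the allocation returning NULL, and the mount-time guard that cuts the chain) modelled in user-space C as an added example that is not the kernel's or the author's code. The struct names, alloc_read_pages(), read_path_would_crash() and the two mount_get_conns_* variants are hypothetical stand-ins for the kernel functions named in the message, kept only to the fields the example uses.

```c
#include <stdio.h>
#include <stdlib.h>

/* Values stated in the commit message (4 MiB default); 4 KiB pages assumed. */
#define SMB3_DEFAULT_IOSIZE (4u * 1024u * 1024u)
#define PAGE_SIZE 4096u
#define EINVAL 22

/* Hypothetical stand-ins for the kernel structs, trimmed to the fields used here. */
struct tcp_server {
    unsigned int max_read;   /* rsp->MaxReadSize from negotiate, or 0 while reconnecting */
};

struct cifs_sb {
    unsigned int rsize;
};

/* min(SMB3_DEFAULT_IOSIZE, server->max_read), as the commit message describes. */
static unsigned int negotiate_rsize(const struct tcp_server *server)
{
    return server->max_read < SMB3_DEFAULT_IOSIZE ? server->max_read
                                                  : SMB3_DEFAULT_IOSIZE;
}

/* Models the pages-array allocation for a read of rsize bytes: a request for
 * DIV_ROUND_UP(rsize, PAGE_SIZE) pages. With rsize == 0 that is zero pages and
 * the caller is handed NULL, which is exactly the pointer the read callback
 * later dereferences. */
static void **alloc_read_pages(unsigned int rsize, unsigned int *npages)
{
    *npages = (rsize + PAGE_SIZE - 1) / PAGE_SIZE;
    if (*npages == 0)
        return NULL;
    return calloc(*npages, sizeof(void *));
}

/* 1 if a read issued with this rsize would reach the NULL pages array, else 0. */
static int read_path_would_crash(unsigned int rsize)
{
    unsigned int npages;
    void **pages = alloc_read_pages(rsize, &npages);
    int crash = (pages == NULL);

    free(pages);
    return crash;
}

/* Before the fix: the mount accepts whatever rsize was negotiated. */
static int mount_get_conns_before(struct cifs_sb *sb, const struct tcp_server *server)
{
    sb->rsize = negotiate_rsize(server);
    return 0;
}

/* After the fix: a zero rsize fails the mount, as the hunk in the patch does. */
static int mount_get_conns_after(struct cifs_sb *sb, const struct tcp_server *server)
{
    sb->rsize = negotiate_rsize(server);
    if (sb->rsize == 0) {
        fprintf(stderr, "Negotiated rsize is 0, get connect failed\n");
        return -EINVAL;
    }
    return 0;
}

int main(void)
{
    struct tcp_server bad = { .max_read = 0 };        /* MaxReadSize 0 or mid-reconnect */
    struct tcp_server good = { .max_read = 8u * 1024u * 1024u }; /* clamped to 4 MiB */
    struct cifs_sb sb;

    mount_get_conns_before(&sb, &bad);
    printf("unpatched: rsize=%u, read would crash: %d\n",
           sb.rsize, read_path_would_crash(sb.rsize));
    printf("patched:   mount rc=%d\n", mount_get_conns_after(&sb, &bad));
    printf("patched:   mount rc=%d, rsize=%u\n",
           mount_get_conns_after(&sb, &good), sb.rsize);
    return 0;
}
```

The unpatched path mounts successfully with rsize 0 and only fails later, on the first uncached read, which is why the commit message argues the check belongs at mount time, where rsize is computed, rather than in the read path.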

FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/15207
Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/2...
participants (2): patchwork bot, Wang Zhaolong